PKI --SCEP(1) strongSwan PKI --SCEP(1)


NAME
pki --scep - Enroll an X.509 certificate with a SCEP server

SYNOPSIS
pki --scep --url url [--in file] --dn distinguished-name
[--san subjectAltName] [--profile profile]
[--password password] --cacert-enc file --cacert-sig file
[--cacert file] [--cert file --key file] [--cipher cipher]
[--digest digest] [--rsa-padding padding] [--interval time]
[--maxpolltime time] [--outform encoding] [--debug level]

pki --scep --options file

pki --scep -h | --help
DESCRIPTION
This sub-command of pki(1) sends a PKCS#10 certificate request in an
encrypted and signed PKCS#7 container via HTTP to a SCEP server using
the Simple Certificate Enrollment Protocol (RFC 8894). After successful
authorization, which with manual authentication requires periodic
polling by the enrollment client, the SCEP server returns an X.509
certificate signed by the CA.

Before the expiry of the current certificate, a new client certificate
based on a fresh RSA private key can be requested, using the old
certificate and the old key for automatic authentication with the SCEP
server.
OPTIONS
-h, --help
Print usage information with a summary of the available options.

-v, --debug level
Set debug level, default: 1.

-+, --options file
Read command line options from file.

-u, --url url
URL of the SCEP server.

-i, --in file
RSA private key. If not given, the key is read from STDIN.

-d, --dn distinguished-name
Subject distinguished name (DN). Required.

-a, --san subjectAltName
subjectAltName extension to include in the request. Can be used
multiple times.

-P, --profile profile
Certificate profile name to be included in the certificate
request. Can be any UTF8 string. Supported e.g. by the openxpki
SCEP server with profiles (pc-client, tls-server, etc.) that are
translated into corresponding Extended Key Usage (EKU) flags in
the generated X.509 certificate.

-p, --password password
The challengePassword to include in the certificate request.

-e, --cacert-enc file
CA or RA certificate for encryption.

-s, --cacert-sig file
CA certificate for signature verification.

-C, --cacert file
Additional CA certificate in the trust chain used for signature
verification. Can be used multiple times.

-c, --cert file
Client certificate to be renewed.

-k, --key file
Client RSA private key to be replaced.

-E, --cipher cipher
Cipher used for symmetric encryption. Either aes (the default)
or des3.

-g, --digest digest
Digest to use for signature creation. One of sha256 (the
default), sha384, sha512, or sha1.

-R, --rsa-padding padding
Padding to use for RSA signatures. Either pkcs1 (the default) or
pss.

-t, --interval time
Poll interval in seconds, defaults to 60s.

-m, --maxpolltime time
Maximum poll time in seconds, defaults to 0 which means unlimited
polling.

-f, --outform encoding
Encoding of the created certificate file. Either der (ASN.1 DER)
or pem (Base64 PEM), defaults to der.
EXAMPLES
To save some typing, the following command line options are stored
in a scep.opt file:

--url http://pki.strongswan.org:8080/scep
--cacert-enc myra.crt
--cacert-sig myca-1.crt
--cacert myca.crt

With the following command, an X.509 certificate signed by the
intermediate CA is requested from a SCEP server:

pki --options scep.opt --in moonKey.der --san "moon.strongswan.org" \
--dn "C=CH, O=strongSec GmbH, CN=moon.strongswan.org" > moonCert.der

transaction ID: 4DFCF31CB18A9B5333CCEC6F99CF230E4524E334
using certificate "C=CH, O=strongSwan Project, CN=SCEP RA"
using trusted intermediate ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
reached self-signed root ca with a path length of 1
SCEP request pending, polling indefinitely every 60 seconds
going to sleep for 60 seconds
transaction ID: 4DFCF31CB18A9B5333CCEC6F99CF230E4524E334
...
going to sleep for 60 seconds
Issued certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
serial: 1e:ff:22:7b:6e:d7:4c:c1:8a:06
using certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
using trusted intermediate ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
reached self-signed root ca with a path length of 1
Issued certificate is trusted, valid from Aug 22 18:56:23 2022 until Aug 22 18:56:23 2023 (currently valid)

A certificate about to expire can be renewed with the command:

pki --options scep.opt --in moonNewKey.der --san "moon.strongswan.org" \
--dn "C=CH, O=strongSec GmbH, CN=moon.strongswan.org" \
--cert moonCert.der --key moonKey.der > moonNewCert.der

transaction ID: A9A63D028CC439F68452D125C4DBA025E67DBA95
using certificate "C=CH, O=strongSwan Project, CN=SCEP RA"
using trusted intermediate ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
reached self-signed root ca with a path length of 1
Issued certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
serial: 1f:ff:b2:78:43:a2:9d:85:00:38
using certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
using trusted intermediate ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
reached self-signed root ca with a path length of 1
Issued certificate is trusted, valid from Jul 20 15:05:33 2023 until Jul 20 15:05:33 2024 (currently valid)

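The renewal flow described in DESCRIPTION and shown in the example above lends itself to a scheduled job: check how long the current certificate is still valid, and only when it is within a threshold generate a fresh key and re-enroll with the old certificate and key, bounding the poll with --maxpolltime so a request left pending for manual approval cannot block the job forever, and replacing the files only once a certificate was actually issued. The following script is an added example, not part of the strongSwan man page; it assumes GNU date (-d), openssl for reading the notAfter date, the file names moonCert.der, moonKey.der and scep.opt from the examples above, and a 30-day renewal threshold.

```shell
#!/bin/sh
# Added example (not from the strongSwan man page). Assumes GNU date -d,
# openssl, and the scep.opt / moonCert.der / moonKey.der files used in
# the EXAMPLES section.

# Days from $2 (epoch seconds; defaults to now) until the notAfter date
# in $1, given in openssl's "Aug 22 18:56:23 2023 GMT" form.
# Negative once the certificate has already expired.
days_until_expiry() {
    end=$(date -u -d "$1" +%s)
    now=${2:-$(date -u +%s)}
    echo $(( (end - now) / 86400 ))
}

# Prints "yes" when the remaining days ($1) are at or below threshold ($2).
needs_renewal() {
    if [ "$1" -le "$2" ]; then echo yes; else echo no; fi
}

# Re-enroll via SCEP, authenticating with the old certificate and key.
# $1 old cert, $2 old key, $3 options file, $4 new key, $5 new cert.
renew_cert() {
    cert=$1 key=$2 opts=$3 newkey=$4 newcert=$5
    # Fresh RSA key: the old key is replaced, never reused.
    pki --gen --type rsa --size 3072 --outform der > "$newkey" || return 1
    # Poll at most 10 minutes; a pending manual approval then fails the job
    # instead of hanging it, and the next scheduled run retries.
    pki --options "$opts" --in "$newkey" --san "moon.strongswan.org" \
        --dn "C=CH, O=strongSec GmbH, CN=moon.strongswan.org" \
        --cert "$cert" --key "$key" --maxpolltime 600 > "$newcert" || return 1
    # Swap the files only if a certificate was actually written.
    [ -s "$newcert" ] || return 1
    mv "$newcert" "$cert" && mv "$newkey" "$key"
}

main() {
    notafter=$(openssl x509 -inform der -noout -enddate -in moonCert.der \
               | cut -d= -f2)
    days=$(days_until_expiry "$notafter")
    if [ "$(needs_renewal "$days" 30)" = yes ]; then
        renew_cert moonCert.der moonKey.der scep.opt \
                   moonNewKey.der moonNewCert.der
    fi
}

# Only contact the SCEP server when invoked as "renew.sh run", so the
# helper functions can be sourced and checked without network access.
if [ "${1:-}" = run ]; then
    main
fi
```

Invoke it from cron as "renew.sh run"; the helper functions take an explicit reference time so the expiry arithmetic can be checked independently of the clock.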
SEE ALSO
pki(1)



5.9.9 2022-08-22 PKI --SCEP(1)